Opened 7 years ago

Last modified 22 months ago

#6152 assigned defect

User can modify members for other modules

Reported by: axton.grams@…
Owned by: Ryan J Ollos
Priority: highest
Component: SvnAuthzAdminPlugin
Severity: critical
Keywords:
Cc: Ryan J Ollos
Trac Release: 0.11

Description (last modified by Ryan J Ollos)

If:

  1. User is authenticated against a project (projA)
  2. User has TRAC_ADMIN Access for projA
  3. User enters a path for another project with the following structure:
    http://svn/<trac_context>/projA/admin/subversion/svnauthz/editpath/projB%3A/
  4. User adds a path member to / -> axton

Then member axton will have access to module:path
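
An added example, not code from SvnAuthzAdminPlugin or from this ticket: one way a request handler could refuse the edit described above, assuming each Trac project is tied to exactly one authz module name. `parse_editpath`, `check_editpath`, `CrossModuleEdit` and `own_module` are hypothetical names; the route prefix is taken from the URL in the description.

```python
from urllib.parse import unquote

# Route prefix copied from the URL in the ticket description.
EDITPATH_PREFIX = "/admin/subversion/svnauthz/editpath/"


class CrossModuleEdit(PermissionError):
    """Raised when the requested authz section belongs to another module."""


def parse_editpath(url_path):
    """Return (module, repo_path) for a raw 'editpath/<module>%3A<path>' URL path."""
    _, found, target = url_path.partition(EDITPATH_PREFIX)
    if not found:
        raise ValueError("not an editpath request")
    target = unquote(target)  # decode exactly once; '%253A' must not become ':'
    module, colon, repo_path = target.partition(":")
    if not colon or "/" in module:
        # No module prefix: in an authz file such a section applies to every repository.
        return None, target or "/"
    return module, repo_path or "/"


def check_editpath(url_path, own_module):
    """Allow the edit only when the section's module is the project's own module.

    own_module is an assumption: the one authz module name tied to this project.
    """
    module, repo_path = parse_editpath(url_path)
    if module != own_module:
        raise CrossModuleEdit(
            "section %r:%r is outside module %r" % (module, repo_path, own_module))
    return module, repo_path


if __name__ == "__main__":
    # Constructed requests; the second is the path from the ticket description.
    for path in ("/projA/admin/subversion/svnauthz/editpath/projA%3A/trunk",
                 "/projA/admin/subversion/svnauthz/editpath/projB%3A/"):
        try:
            print("allowed:", check_editpath(path, "projA"))
        except CrossModuleEdit as exc:
            print("denied:", exc)
```

Sections with no module prefix are denied as well, since a project-level administrator editing them would change access for every repository that shares the authz file.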

Attachments (0)

Change History (5)

comment:1 Changed 7 years ago by Michael Renzmann

Description: modified (diff)

comment:2 Changed 7 years ago by Sergio Talens-Oliag

That is so because the user needs TRAC_ADMIN permission to use this module and that implies that he or she has VERSIONCONTROL_ADMIN permission.

To avoid this problem I've patched this module to allow its use with the SVNAUTHZ_ADMIN permission, removing the need to have TRAC_ADMIN permission to be able to edit the file.

My patch is attached to the ticket #7493 (attachment:ticket:7493:svnauthadmin_permission.diff).

comment:3 Changed 7 years ago by Ryan J Ollos

Cc: Ryan J Ollos added; anonymous removed

comment:4 Changed 3 years ago by Ryan J Ollos

Owner: changed from Kis Gergely to Ryan J Ollos
Status: new → assigned

comment:5 Changed 22 months ago by Ryan J Ollos

Description: modified (diff)

#11574 closed as a duplicate.
